Security specialists have unearthed a group of Android VPN apps that surreptitiously convert user devices into proxy nodes, possibly engaging in nefarious activities unbeknownst to users. This revelation has sparked considerable apprehension regarding the safety of free VPN apps available on the Google Play Store.
The Satori Threat Intelligence team at HUMAN, a cybersecurity company, has pinpointed a collection of VPN apps that enlist user devices into a proxy network using a Golang library named PROXYLIB.
This discovery came to light in May 2023, initially with a solitary free VPN app, Oko VPN, exhibiting malicious actions and subsequently being removed from the Play Store.
Subsequent investigation revealed 28 associated applications, all since eradicated from the Google Play Store. Nonetheless, the threat endures as the perpetrators behind PROXYLIB refine their tactics. A recent HumanSecurity article unearthed malicious behavior in Oko VPN, a free app on the Play Store.
How PROXYLIB Operates
The PROXYLIB applications create a two-way link to a proxy network, effectively converting the device into a residential proxy node without the user’s authorization. These apps disguise themselves as genuine services, frequently posing as free VPNs, and utilize permissions like FOREGROUND_SERVICE and BOOT_COMPLETED to sustain persistence.
The native library, libgojni.so, manages incoming requests and facilitates communication with command-and-control (C2) servers. This enables the device to forward web requests to multiple online platforms, often utilized for activities such as ad fraud, particularly targeting video streaming services.
The LumiApps SDK Connection
A subsequent iteration of PROXYLIB was discovered to be distributed via an SDK known as LumiApps.
This service enables users to upload an APK and integrate the SDK automatically without requiring access to the source code.
The altered APKs are subsequently disseminated outside the Google Play Store, commonly as “mods” or patched editions of authentic apps.
Protecting Yourself From Proxylib Attacks
Protecting yourself from Proxylib attacks requires vigilance and proactive measures. Here are some steps you can take:
- Use Trusted VPN Apps: Stick to reputable VPN applications available on official app stores like Google Play Store or Apple App Store. Research the developer and read user reviews before downloading any VPN app.
- Check Permissions: Review the permissions requested by VPN apps before installation. Be cautious if an app requests excessive permissions that seem unnecessary for its functionality.
- Regularly Update Apps: Keep your VPN apps and other applications updated to the latest versions. Developers often release patches to fix security vulnerabilities.
- Avoid Unofficial Sources: Refrain from downloading apps from unofficial sources or third-party app stores. These sources may host modified or malicious versions of legitimate apps.
- Stay Informed: Stay updated on the latest cybersecurity news and advisories. Follow reputable cybersecurity blogs, forums, or news sources to stay informed about emerging threats like Proxylib attacks.
- Use Antivirus Software: Install reputable antivirus or mobile security software on your device. These programs can help detect and remove malicious apps or files, including those associated with Proxylib attacks.
- Monitor Data Usage: Keep an eye on your device’s data usage. Unusual spikes in data usage could indicate that a malicious app, such as one participating in ad fraud, is running in the background.
- Report Suspicious Activity: If you encounter any suspicious behavior or notice unusual activity on your device, report it to the app store and consider uninstalling the app in question.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment